How to figure out the services hosted in an svchost.exe in a kernel memory dump.
Hi guys, this is Justin from the APAC escalation team. In this short article I am going to share a small trick for working out which services are hosted in an svchost.exe process when all you have is a kernel memory dump.
- The debugger prints the dump type when the dump file is opened. For a kernel bitmap dump it reports:
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
The second half of that line is the reason for the trick. Commands that walk user-mode structures, such as !peb or !dlls, read the loader lists in the process's own address space, which may simply not be in the dump. The module list therefore has to be recovered from a structure that lives in kernel memory.
- List all the svchost.exe processes in the system (the third argument of !process filters on image name).
kd> !process 0 0 svchost.exe
...
PROCESS ffffc0033fe4b780
SessionId: 0 Cid: 1c28 Peb: 5b10682000 ParentCid: 02ec
DirBase: 96c38000 ObjectTable: ffff8607051552c0 HandleCount: <Data Not Accessible>
Image: svchost.exe
...
- Dump more information about the svchost.exe we want to check. With flags value 1, !process prints the process block details, including the VadRoot address we need next.
kd> !process ffffc0033fe4b780 1
PROCESS ffffc0033fe4b780
SessionId: 0 Cid: 1c28 Peb: 5b10682000 ParentCid: 02ec
DirBase: 96c38000 ObjectTable: ffff8607051552c0 HandleCount: <Data Not Accessible>
Image: svchost.exe
VadRoot ffffc0033fe58620 Vads 241 Clone 0 Private 4527. Modified 5484. Locked 169.
DeviceMap ffff8606fe946fb0
Token ffff860706b91060
ElapsedTime 02:00:58.188
UserTime 00:00:00.062
KernelTime 00:00:00.078
QuotaPoolUsage[PagedPool] 141256
QuotaPoolUsage[NonPagedPool] 40560
Working Set Sizes (now,min,max) (1573, 50, 345) (6292KB, 200KB, 1380KB)
PeakWorkingSetSize 8712
VirtualSize 2097352 Mb
PeakVirtualSize 2097352 Mb
PageFaultCount 17047
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 16033
- Now take the VadRoot address. VAD is short for Virtual Address Descriptor, the kernel data structure that describes one range of virtual memory in a process. The VADs of a process are organized as a balanced (AVL) tree rooted at VadRoot, which is why !vad can print a level for each node; !vad <VadRoot> walks the whole tree, and this process has 241 VADs. Because the VADs, and the file names of the sections they map, are kernel structures, this works even when the user address space is missing from the dump. To figure out which services are hosted, look at the mapped image DLLs, the entries marked "Mapped Exe". The decisive entry is the service DLL itself: PeerDistSvc.dll is the ServiceDll of the PeerDistSvc (BranchCache) service on Windows 10, and its companions PeerDistHttpTrans.dll, PeerDistWSDDiscoProv.dll and PeerDistAD.dll, together with the PeerDist*.pds catalog files mapped from the NetworkService profile, corroborate it. Helper libraries such as esent.dll, httpapi.dll or dhcpcsvc.dll are shared by many services and do not identify one on their own; when an image name is not obvious, confirm it against the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters on a machine of the same build. Two caveats: on Windows 10 1703 and later, machines with more than 3.5 GB of RAM run most services in their own svchost instance, so one service DLL per process is the common case, whereas on servers and older builds several service DLLs appear in one listing and each has to be mapped; and the same listing is where an image that is neither a registered ServiceDll nor a Windows system module would show up, so scan the whole list rather than stopping at the first hit.
2: kd> !vad ffffc0033fe58620
VAD Level Start End Commit
ffffc0033fd73180 7 7ffe0 7ffef -1 Private READONLY
ffffc0033fdc0010 6 5b10600 5b107ff 39 Private READWRITE
ffffc0033db93b30 7 5b10800 5b1087f 12 Private READWRITE
ffffc0033f9f07e0 5 5b10a80 5b10b7f 11 Private READWRITE
ffffc0033f577980 7 5b10b80 5b10c7f 11 Private READWRITE
ffffc0033f62bae0 6 5b10c80 5b10d7f 11 Private READWRITE
ffffc0033fa22650 7 5b10d80 5b10e7f 11 Private READWRITE
ffffc0033fc599b0 4 5b10e80 5b10f7f 11 Private READWRITE
ffffc0033fadb7a0 6 5b10f80 5b1107f 11 Private READWRITE
ffffc0033fe5d1e0 5 5b11280 5b1137f 11 Private READWRITE
ffffc0033f7a7fc0 3 5b11480 5b1157f 11 Private READWRITE
ffffc0033f9f1ee0 7 5b11580 5b115ff 19 Private READWRITE
ffffc0033fe323d0 6 5b11600 5b1167f 19 Private READWRITE
ffffc0033f49e1c0 7 5b11680 5b116ff 19 Private READWRITE
ffffc0033eac72b0 5 5b11780 5b1187f 11 Private READWRITE
ffffc0033b81b670 6 5b12780 5b127ff 11 Private READWRITE
ffffc00340cfe720 4 5b12800 5b1287f 11 Private READWRITE
ffffc003400d42f0 7 5b12880 5b128ff 11 Private READWRITE
ffffc0034414bdf0 6 5b12900 5b1297f 11 Private READWRITE
ffffc0033efb5350 7 5b12980 5b129ff 11 Private READWRITE
ffffc0033b5f34d0 8 5b12a00 5b12a7f 11 Private READWRITE
ffffc0033fe42610 5 212d92b0 212d92bf 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033d228280 6 212d92c0 212d92c1 0 Mapped READONLY Pagefile section, shared commit 0x2
ffffc0033fe38850 7 212d92d0 212d92e5 0 Mapped READONLY Pagefile section, shared commit 0x16
ffffc0033fe454a0 2 212d92f0 212d92f3 0 Mapped READONLY Pagefile section, shared commit 0x4
ffffc0033fe45290 7 212d9300 212d9300 0 Mapped READONLY Pagefile section, shared commit 0x1
ffffc0033fe3f050 6 212d9310 212d9311 2 Private READWRITE
ffffc0033f7badf0 7 212d9320 212d93e0 0 Mapped READONLY \Windows\System32\locale.nls
ffffc0033fc93e70 5 212d93f0 212d93f0 0 Mapped READWRITE Pagefile section, shared commit 0x1
ffffc0033f64e0e0 6 212d9400 212d9400 1 Private READWRITE
ffffc0033fdf2a80 4 212d9410 212d9410 1 Private READWRITE
ffffc0033f9cd710 6 212d9420 212d9420 0 Mapped READONLY Pagefile section, shared commit 0x1
ffffc0033fd00680 5 212d9430 212d9430 0 Mapped READONLY Pagefile section, shared commit 0x1
ffffc0033fb1a280 7 212d9440 212d9445 0 Mapped READONLY \Windows\Registration\R00000000000d.clb
ffffc0033dcf1a70 6 212d9450 212d945f 1 Private NO_ACCESS
ffffc0033fe619f0 7 212d9460 212d9460 1 Private READWRITE
ffffc0033fe6f160 3 212d9470 212d947c 3 Private READWRITE
ffffc0033fe88520 6 212d9480 212d948f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033fa7d6c0 5 212d9490 212d949f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033e9ef190 6 212d94a0 212d94af 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033f85ec40 4 212d94b0 212d94bf 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033fe354b0 6 212d94c0 212d94cf 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033feaef70 5 212d94d0 212d94df 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033fe83d50 6 212d94e0 212d94e0 0 Mapped READWRITE Pagefile section, shared commit 0x1
ffffc0033fa3be40 7 212d94f0 212d94f7 8 Private READWRITE
ffffc0033fdf1e50 1 212d9500 212d95ff 247 Private READWRITE
ffffc0033fe45040 5 212d9600 212d96bf 0 Mapped READONLY Pagefile section, shared commit 0x7
ffffc0033fe362e0 6 212d96c0 212d96cf 16 Private READWRITE
ffffc0033fe74160 4 212d96d0 212d96dc 2 Private READWRITE
ffffc0033fadbd90 6 212d96e0 212d96ef 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033f67b7f0 5 212d96f0 212d96ff 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033faebf70 6 212d9700 212d970f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033dcbd900 3 212d9710 212d971f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033e1988a0 6 212d9720 212d972f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033fb2a700 5 212d9730 212d973f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033d396a40 6 212d9740 212d978e 0 Mapped READWRITE Pagefile section, shared commit 0x4f
ffffc0033fe75160 4 212d9790 212d979c 1 Private READWRITE
ffffc0033feaed40 7 212d97a0 212d97ee 79 Private READWRITE
ffffc0033f7a2e70 6 212d97f0 212d97ff 16 Private READWRITE
ffffc0033fe76160 7 212d9800 212d98ff 7 Private READWRITE
ffffc0033fe3cc60 5 212d9900 212d99ff 241 Private READWRITE
ffffc0033fe383b0 6 212d9a00 212d9b87 0 Mapped READONLY Pagefile section, shared commit 0x7
ffffc0033fded530 2 212d9b90 212d9d10 0 Mapped READONLY Pagefile section, shared commit 0x181
ffffc0033fd91740 7 212d9d20 212da118 0 Mapped READONLY Pagefile section, shared commit 0x3f9
ffffc0033fdf1330 6 212da120 212da21f 4 Private READWRITE
ffffc0033fdff490 7 212da220 212da556 0 Mapped READONLY \Windows\Globalization\Sorting\SortDefault.nls
ffffc0033fe77530 5 212da560 212dc561 8193 Private READWRITE
ffffc0033fe7b770 7 212dc570 212dc66f 1 Private READWRITE
ffffc0033fe7c880 6 212dc670 212dc771 257 Private READWRITE
ffffc0033fb0cdc0 7 212dc780 212dc7b5 1 Private READWRITE
ffffc0033fa8f690 4 212dc7c0 212dc7c0 1 Private READWRITE
ffffc0033f97e4a0 6 212dc7d0 212dc7d0 1 Private READWRITE
ffffc0033feb12a0 5 212dc7e0 212dc7e1 2 Private READWRITE
ffffc0033fe579f0 7 212dc7f0 212dc7f0 1 Private READWRITE
ffffc0033fda99f0 6 212dc800 212dc8ff 157 Private READWRITE
ffffc0033fe6d280 3 212dc900 212dc9ff 76 Private READWRITE
ffffc0033fdff7a0 7 212dca00 212dcb11 274 Private READWRITE
ffffc0033fe4e420 6 212dcb20 212dcc1f 256 Private READWRITE
ffffc0033fe83c10 7 212dcc20 212dcd1f 256 Private READWRITE
ffffc0033d3968a0 5 212dcd20 212dce1f 256 Private READWRITE
ffffc0033fea3aa0 7 212dce20 212dcf1f 256 Private READWRITE
ffffc0033dcf4790 6 212dcf20 212dcf2f 16 Private READWRITE
ffffc0033f9e5870 7 212dcf30 212dcf37 8 Private READWRITE
ffffc0033f8aa260 4 212dcf40 212dcf41 2 Private READWRITE
ffffc0033f923470 7 212dcf50 212dcfaf 0 Private READWRITE
ffffc0033eb14300 6 212dcfb0 212dcfb1 2 Private READWRITE
ffffc0033be8fcc0 7 212dcfc0 212dcfc0 1 Private READWRITE
ffffc0033feaff70 5 212dcfd0 212dcfdf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fe09c30 6 212dcfe0 212dcfef 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fec3490 7 212dcff0 212dcfff 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fe58620 0 212dd000 212dd0ff 233 Private READWRITE
ffffc0033daa28d0 7 212dd100 212e10ff 3027 Private READWRITE
ffffc0033eb2a270 6 212e1100 212e1293 404 Private READWRITE
ffffc0033e198800 7 212e12a0 212e13f3 0 Mapped READONLY Pagefile section, shared commit 0x154
ffffc0033f9d3b90 5 212e1400 212e14ff 1 Private READWRITE
ffffc0033fb135b0 7 212e1500 212e1a0f 2 Private READWRITE
ffffc0033fec28f0 6 212e1a10 212e1a1f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fe57f70 7 212e1a20 212e1a2f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fe57ed0 4 212e1a30 212e1a3f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fe57e30 7 212e1a40 212e1a4f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fad7f70 6 212e1a50 212e1a5f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fad7ed0 7 212e1a60 212e1a6f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fad7e30 5 212e1a70 212e1a7f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fad7d90 7 212e1a80 212e1a8f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033a890010 6 212e1a90 212e1a9f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033a890200 7 212e1aa0 212e1aaf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033a890160 3 212e1ab0 212e1abf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033a8900c0 7 212e1ac0 212e1acf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033feb4010 6 212e1ad0 212e1adf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fc368c0 7 212e1ae0 212e1aef 16 Private READWRITE
ffffc0033feafa90 5 212e1af0 212e1aff 16 Private READWRITE
ffffc0033fad7c20 7 212e1b00 212e1b0f 16 Private READWRITE
ffffc0033feb40e0 6 212e1b10 212e1b1f 16 Private READWRITE
ffffc0033fec57a0 7 212e1b20 212e1b2f 16 Private READWRITE
ffffc0033f71bd40 4 212e1b30 212e1b37 8 Private READWRITE
ffffc0033f71bca0 7 212e1b40 212e1b4f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fecdcf0 6 212e1b50 212e1b5f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fecdca0 7 212e1b60 212e1b6f 16 Private READWRITE
ffffc0033fec57f0 5 212e1b70 212e1b7f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fecf8f0 7 212e1b80 212e1b87 8 Private READWRITE
ffffc0033fecce00 6 212e1b90 212e1b97 8 Private READWRITE
ffffc0033fa92b30 7 212e1ba0 212e1baf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fa655a0 2 212e1bb0 212e1bbf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033f8e2660 7 212e1bc0 212e1bcf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fee4a10 6 212e1bd0 212e1bdf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033feb4d30 7 212e1be0 212e1bef 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033feb4bb0 5 212e1bf0 212e1bff 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fed34f0 7 212e1c00 212e1c0f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fb0b3c0 6 212e1c10 212e1c10 1 Private READWRITE
ffffc0033faa11d0 7 212e1c20 212e1c20 1 Private READWRITE
ffffc0033fb3b640 4 212e1c30 212e1dc3 404 Private READWRITE
ffffc0033f9481d0 7 212e1dd0 212e1dd1 2 Private READWRITE
ffffc0033eac29c0 6 212e1de0 212e1de0 1 Private READWRITE
ffffc0033e7fe2a0 7 212e1df0 212e22ff 1 Private READWRITE
ffffc0033fec7c80 5 212e2300 212e2307 8 Private READWRITE
ffffc0033d341560 7 212e2310 212e2311 2 Private READWRITE
ffffc0033fed29d0 6 212e2320 212e237f 0 Private READWRITE
ffffc0033f97a550 7 212e2380 212e2381 2 Private READWRITE
ffffc0033fab8bc0 3 212e2390 212e2390 1 Private READWRITE
ffffc0033fee74e0 7 212e23a0 212e23af 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033febdf70 6 212e23b0 212e23bf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fec33f0 7 212e23c0 212e23cf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033e9ef0f0 5 212e23d0 212e23df 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fec7eb0 7 212e23e0 212e23ef 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fee6760 6 212e23f0 212e23ff 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fee45e0 7 212e2400 212e240f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feeb890 4 212e2410 212e241f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feba450 8 212e2420 212e242f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feb7cc0 7 212e2430 212e243f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feb7c20 8 212e2440 212e244f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feb7b80 6 212e2450 212e245f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fee6010 8 212e2460 212e246f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fee61d0 7 212e2470 212e247f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fee6130 8 212e2480 212e248f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feeceb0 5 212e2490 212e249f 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feece10 8 212e24a0 212e24af 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feecd70 7 212e24b0 212e24bf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033feeccd0 8 212e24c0 212e24cf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fed9970 6 212e24d0 212e24df 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub\PeerDistPubCatalog.pds
ffffc0033fd2dc20 7 212e2500 212e25ff 51 Private READWRITE
ffffc0033fe38990 1 7df5ff0b0 7ff5ff0af 1 Mapped NO_ACCESS Pagefile section, shared commit 0
ffffc0033fde53d0 8 7ff69d760 7ff69d85f 0 Mapped READONLY Pagefile section, shared commit 0x5
ffffc0033fe388f0 7 7ff69d860 7ff69d882 0 Mapped READONLY Pagefile section, shared commit 0x23
ffffc0033fde56e0 6 7ff69da60 7ff69da6d 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\svchost.exe
ffffc0034435b210 8 7ff8ecca0 7ff8ecce1 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\adsldp.dll
ffffc0033fe56a90 7 7ff8ed080 7ff8ed094 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\OnDemandConnRouteHelper.dll
ffffc0033dd1e400 8 7ff8ee920 7ff8eec11 13 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\esent.dll
ffffc0033fe750c0 5 7ff8f1120 7ff8f112c 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\httpapi.dll
ffffc0033fdff260 7 7ff8f7910 7ff8f7951 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\adsldpc.dll
ffffc0033fb0c870 8 7ff8f8830 7ff8f8841 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\PeerDistHttpTrans.dll
ffffc0033fe8c3d0 6 7ff8f8ac0 7ff8f8b69 7 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\WSDApi.dll
ffffc0033fcb0290 8 7ff8f8b70 7ff8f8ba1 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\PeerDistWSDDiscoProv.dll
ffffc0033faebc50 7 7ff8f8bb0 7ff8f8bd6 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ddptrace.dll
ffffc0033faebcf0 8 7ff8f8be0 7ff8f8c1c 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ddpchunk.dll
ffffc0033fe83a80 4 7ff8f8c20 7ff8f8e00 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\PeerDistSvc.dll
ffffc0033fe70260 6 7ff8f99c0 7ff8f9a04 7 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\activeds.dll
ffffc0033feab6a0 7 7ff8fcc20 7ff8fcc2d 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\npmproxy.dll
ffffc0033fe6ac30 5 7ff8fd570 7ff8fd5a6 8 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\fwpolicyiomgr.dll
ffffc0033fc42180 7 7ff8fd5d0 7ff8fd605 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\netprofm.dll
ffffc00340a763c0 8 7ff8fd7c0 7ff8fd7c9 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\rasadhlp.dll
ffffc0033fdfed30 6 7ff8fddc0 7ff8fddd7 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\netapi32.dll
ffffc00343920be0 8 7ff8fe350 7ff8fe35c 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dsparse.dll
ffffc0033dd56cd0 7 7ff8fe8b0 7ff8fe8bd 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\PeerDistAD.dll
ffffc0033de49800 8 7ff8fea30 7ff8fea65 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\xmllite.dll
ffffc0033fded410 3 7ff901310 7ff90131a 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ktmw32.dll
ffffc0033fcb86e0 7 7ff901a80 7ff901a99 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dhcpcsvc.dll
ffffc0033fde5d80 6 7ff901c10 7ff901c25 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dhcpcsvc6.dll
ffffc0033e9ef730 8 7ff902410 7ff9024dc 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\winhttp.dll
ffffc0033b006250 7 7ff902f30 7ff902f99 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\FWPUCLNT.DLL
ffffc0033ebe1910 8 7ff9032d0 7ff9032da 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\winnsi.dll
ffffc0033fe694f0 5 7ff9032e0 7ff90331d 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\logoncli.dll
ffffc0033fe8a940 6 7ff9036d0 7ff903731 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wevtapi.dll
ffffc0033fe68d60 7 7ff904680 7ff9046a6 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\sppc.dll
ffffc0033f9e4430 4 7ff9046b0 7ff9046d5 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\slc.dll
ffffc0033d33b350 7 7ff9049c0 7ff9049ea 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\fwbase.dll
ffffc0033d2cee10 6 7ff904c40 7ff904cc5 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\FirewallAPI.dll
ffffc0033fe6c420 5 7ff904ed0 7ff904ef2 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\gpapi.dll
ffffc0033fe29f70 6 7ff905100 7ff905113 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wldp.dll
ffffc0033fe6f3f0 2 7ff9051a0 7ff9051e9 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\authz.dll
ffffc0033fe7e260 8 7ff905330 7ff90533b 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\secur32.dll
ffffc0033fb56930 7 7ff905450 7ff905482 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\rsaenh.dll
ffffc0033dd0ceb0 8 7ff905610 7ff905760 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\webservices.dll
ffffc0033fe70d20 6 7ff9058f0 7ff905927 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\IPHLPAPI.DLL
ffffc00340dc8920 8 7ff905930 7ff9059d0 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dnsapi.dll
ffffc0033fe69590 7 7ff9059e0 7ff9059ec 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\netutils.dll
ffffc0033fe75010 8 7ff9059f0 7ff905a0e 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\userenv.dll
ffffc0033fcba9e0 5 7ff905b60 7ff905bbb 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\mswsock.dll
ffffc0033b480750 7 7ff905bc0 7ff905caf 12 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kerberos.dll
ffffc0033fdfe760 6 7ff905d20 7ff905d2a 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\cryptbase.dll
ffffc0033fe42310 4 7ff905d40 7ff905d56 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\cryptsp.dll
ffffc00343bcf230 8 7ff905d60 7ff905d74 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\cryptdll.dll
ffffc0033fe6f350 7 7ff905e60 7ff905e8a 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\bcrypt.dll
ffffc0033fca04c0 6 7ff905f80 7ff905fab 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\sspicli.dll
ffffc0033b4ab520 7 7ff906150 7ff9061e7 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\sxs.dll
ffffc0033fe75bf0 5 7ff906280 7ff906293 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\profapi.dll
ffffc0033fb0e6d0 8 7ff9062a0 7ff9062ae 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel.appcore.dll
ffffc0033fde5590 7 7ff9062b0 7ff9062bf 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msasn1.dll
ffffc0033fe8f6c0 6 7ff9062c0 7ff90630b 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\powrprof.dll
ffffc0033faaa9c0 7 7ff906310 7ff906491 8 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\gdi32full.dll
ffffc0033fe4e1d0 3 7ff9064a0 7ff906594 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ucrtbase.dll
ffffc0033fe2fcf0 8 7ff9065a0 7ff9065f4 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wintrust.dll
ffffc0033faa14a0 7 7ff906650 7ff9066b9 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\bcryptprimitives.dll
ffffc0033fe3c8b0 6 7ff906770 7ff90698c 8 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll
ffffc0033fe32500 7 7ff906990 7ff906b58 10 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\crypt32.dll
ffffc0033f980380 8 7ff906b60 7ff906bfb 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msvcp_win.dll
ffffc0033fe75c90 5 7ff906cb0 7ff906ccd 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\win32u.dll
ffffc0033faaa920 8 7ff9073b0 7ff907514 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\user32.dll
ffffc0033fe66d20 7 7ff907520 7ff907589 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ws2_32.dll
ffffc0033fe71260 8 7ff907590 7ff9075eb 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\Wldap32.dll
ffffc0033f9e2f10 6 7ff907610 7ff9076ce 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\oleaut32.dll
ffffc0033fb0d200 7 7ff9077d0 7ff90786e 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\clbcatq.dll
ffffc0033f4f3280 4 7ff907870 7ff90791a 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll
ffffc0033fde5990 7 7ff909080 7ff9090d8 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\sechost.dll
ffffc0033fe4a160 8 7ff9090e0 7ff9090e7 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\nsi.dll
ffffc0033fe88350 6 7ff909290 7ff909331 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\advapi32.dll
ffffc0033fe81a80 7 7ff909370 7ff9094a6 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ole32.dll
ffffc0033fe426c0 5 7ff9094b0 7ff90954d 10 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msvcrt.dll
ffffc0033faa1400 8 7ff909550 7ff909583 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\gdi32.dll
ffffc0033fe37590 7 7ff909590 7ff909857 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\combase.dll
ffffc0033fe8a350 6 7ff909cf0 7ff909e10 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\rpcrt4.dll
ffffc0033fde5640 7 7ff909e20 7ff909ff0 14 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
Total VADs: 241, average level: 7, maximum depth: 8
Total private commit: 0x3e1c pages (63600 KB)
Total shared commit: 0x7a3 pages (7820 KB)
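To make that scan repeatable on a long !vad listing, here is an added Python example, not part of the original article or of any Microsoft tool, that parses the rows above, keeps only the image-section mappings ("Mapped Exe"), resolves them against a ServiceDll table and flags images mapped from outside the Windows system directories. The rows in VAD_EXCERPT are copied from the listing above; the SERVICE_DLLS table is an assumed excerpt that has to be rebuilt from the registry of a machine of the same build; and the \Users\Public\notaservice.dll row is constructed purely to exercise the anomaly check. Since Start and End are 4 KB page numbers, the script also recovers byte load addresses (VPN << 12).

```python
"""Triage a WinDbg !vad listing: keep the image-section mappings, match them
against a ServiceDll table and flag images outside the Windows system directories."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the !vad listing above (header and summary lines kept so the
# parser can be seen skipping them). Paste a complete listing here in practice.
VAD_EXCERPT = r"""
VAD Level Start End Commit
ffffc0033fd73180 7 7ffe0 7ffef -1 Private READONLY
ffffc0033fe42610 5 212d92b0 212d92bf 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc0033f7badf0 7 212d9320 212d93e0 0 Mapped READONLY \Windows\System32\locale.nls
ffffc0033feaff70 5 212dcfd0 212dcfdf 8 Mapped READONLY \Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub\PeerDistRepubStoreCatalog.pds
ffffc0033fde56e0 6 7ff69da60 7ff69da6d 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\svchost.exe
ffffc0033fb0c870 8 7ff8f8830 7ff8f8841 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\PeerDistHttpTrans.dll
ffffc0033fe83a80 4 7ff8f8c20 7ff8f8e00 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\PeerDistSvc.dll
ffffc0033fcb86e0 7 7ff901a80 7ff901a99 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dhcpcsvc.dll
ffffc0033fde5640 7 7ff909e20 7ff909ff0 14 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
Total VADs: 241, average level: 7, maximum depth: 8
"""

# Constructed row (NOT from the dump above): an image mapped from a user-writable
# directory, to exercise the anomaly check. VAD address and VPNs are made up.
CONSTRUCTED_ODD_ROW = r"ffffc00300000001 8 7ff8a0000 7ff8a001f 3 Mapped Exe EXECUTE_WRITECOPY \Users\Public\notaservice.dll"

# ServiceDll basename -> service name. Assumed excerpt; build the real table from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll on a reference machine.
SERVICE_DLLS = {
    "peerdistsvc.dll": "PeerDistSvc",  # BranchCache
    "dhcpcore.dll": "Dhcp",            # dhcpcsvc.dll in the listing is only the client API
    "dnsrslvr.dll": "Dnscache",
    "schedsvc.dll": "Schedule",
    "wevtsvc.dll": "EventLog",
}

TRUSTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")
PAGE_SHIFT = 12  # !vad prints 4 KB page numbers (VPNs), not byte addresses


@dataclass
class Vad:
    addr: int
    level: int
    start_vpn: int
    end_vpn: int      # inclusive
    commit: int       # kept signed: -1 is printed for some special regions
    kind: str         # "Private" or "Mapped"
    is_image: bool    # the "Exe" flag: section mapped as an image
    protect: str
    detail: str       # backing file path, "Pagefile section, ...", or ""

    @property
    def base(self) -> int:
        return self.start_vpn << PAGE_SHIFT

    @property
    def size(self) -> int:
        return (self.end_vpn - self.start_vpn + 1) << PAGE_SHIFT

    @property
    def basename(self) -> str:
        return self.detail.rsplit("\\", 1)[-1].lower()


_ROW = re.compile(
    r"^(?P<addr>[0-9a-f]+)\s+(?P<level>\d+)\s+(?P<start>[0-9a-f]+)\s+(?P<end>[0-9a-f]+)\s+"
    r"(?P<commit>-?\d+)\s+(?P<kind>Private|Mapped)\s+(?P<exe>Exe\s+)?(?P<protect>[A-Z_]+)"
    r"(?:\s+(?P<detail>.*))?$"
)


def parse_vad(text: str) -> List[Vad]:
    """Parse !vad rows; header, kd> prompt and 'Total ...' lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Vad(int(m["addr"], 16), int(m["level"]), int(m["start"], 16),
                            int(m["end"], 16), int(m["commit"]), m["kind"],
                            m["exe"] is not None, m["protect"], (m["detail"] or "").strip()))
    return rows


def image_mappings(vads: List[Vad]) -> List[Vad]:
    """Image sections only: the EXE and every DLL mapped as an image. Data files such as
    locale.nls or the .pds catalogs are Mapped too but carry no Exe flag."""
    return [v for v in vads if v.kind == "Mapped" and v.is_image and v.detail.startswith("\\")]


def hosted_services(images: List[Vad], service_dlls: Dict[str, str]) -> Dict[str, str]:
    """Service name -> image path for every image whose basename is a registered ServiceDll.
    Shared helper libraries (esent.dll, httpapi.dll, dhcpcsvc.dll, ...) never match, by design."""
    return {service_dlls[v.basename]: v.detail for v in images if v.basename in service_dlls}


def images_outside_system_dirs(images: List[Vad]) -> List[str]:
    """Triage hint, not a verdict: third-party services load from Program Files legitimately,
    but an image under a user-writable path inside a service host deserves a closer look."""
    return [v.detail for v in images if not v.detail.lower().startswith(TRUSTED_DIRS)]


def triage(vad_text: str, service_dlls: Optional[Dict[str, str]] = None) -> dict:
    images = image_mappings(parse_vad(vad_text))
    return {
        "images": [v.basename for v in images],
        "services": hosted_services(images, service_dlls or SERVICE_DLLS),
        "outside_system_dirs": images_outside_system_dirs(images),
    }


if __name__ == "__main__":
    for label, text in (("dump excerpt", VAD_EXCERPT), ("constructed row", CONSTRUCTED_ODD_ROW)):
        result = triage(text)
        print(f"[{label}] images: {result['images']}")
        print(f"  hosted services: {result['services']}")
        print(f"  outside system dirs: {result['outside_system_dirs']}")
    for v in image_mappings(parse_vad(VAD_EXCERPT)):
        print(f"  base={v.base:#x} size={v.size:>8} {v.basename}")
```

In practice, capture the full !vad output with .logopen in WinDbg and feed the log file to parse_vad; only rows that look like VAD entries are parsed, so prompts, headers and the Total lines can stay in. The ServiceDll table is deliberately keyed on basename, which is also why dhcpcsvc.dll in the listing yields no service: the DHCP client service lives in dhcpcore.dll, and matching on helper libraries would produce false identifications.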
-Justin